How to Set Up a Firewall with iptables on Ubuntu and CentOS

In this tutorial, we are going to show you how to set up a firewall with iptables on a Linux VPS running Ubuntu or CentOS as an operating system. Iptables is an administration tool for IPv4 packet filtering and NAT and it is used to set up and manage the tables of IPv4 packet filter rules in the Linux kernel.

Properly configuring and setting up a firewall is one of the most important and crucial things you need to do to secure your server.

With iptables, several different packet matching tables are defined and each table can contain a number of built-in chains as well as some chains defined by the user. The chains are actually lists of rules that match set of packets and each rule specifies what to do with the matched packet.

The default table is the filter table and it contains the built-in chains INPUT, FORWARD, and OUTPUT. The INPUT chain is used for packets destined to local sockets, the FORWARD chain is used for packets being routed through the box while the OUTPUT chain is used for locally-generated packets.

The firewall rules specify what to do with a certain packet if it matches certain criteria and in case the packet doesn’t match the criteria, the next firewall rule defined in the chain will be examined. This is a very important thing to know when defining the firewall rules because you can easily lock yourself out of your server if you define the rule which accepts packets from your local IP address after the blocking rule.

The targets you can use for the firewall rules are ACCEPT, DROP, QUEUE and RETURN. ACCEPT will let the packet through, DROP will drop the packet, QUEUE will pass the packet to the userspace while RETURN will stop the packet traversing of the current chain and will resume at the next rule in the previous chain. The default chain policy will define what to do with a packet if it doesn’t match certain firewall rule. As you can see in the output of the first command, the default policy for all built-in chains is set to ACCEPT. ACCEPT will let the packet go through so basically there is no protection.

Next, allow access to your server via SSH for your local IP address so only you can access the server:

sudo iptables -A INPUT -s 111.111.111.111 -p tcp --dport 22 -j ACCEPT

Where 111.111.111.111 is your local IP address and 22 is the listening port of your SSH daemon. In case your local IP address changes dynamically it is best to omit the -s 111.111.111.111 part and use a different method to protect the SSH service from unwanted traffic.

If you are using a CentOS VPS you can save the firewall rules using the command below:

service iptables save

Of course, you don’t have to do any of this if you use one of our Fully Managed VPS Hosting services, in which case you can simply ask our expert Linux admins to help you configure your iptables on your server. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post on How to Set Up a Firewall with iptables on Ubuntu and CentOS, please share it with your friends on the social networks using the buttons below or simply leave a comment in the comments section. Thanks.

2 Comments

John
on December 22, 2017 at 15:04

Under the section where it says “If you have other services that you want to allow access to it is best to do that now. Once you are done, you can set the default policy for the INPUT built-in chain to DROP.” there is a command below that reads:
iptables -A INPUT DROP

This should say iptables –
iptables A INPUT -j DROP

Without the -j the system doesn’t know what to do with the “DROP” and therefore returns an error of: